[PATCH 3/3] KEYS: Fix for erroneous trust of incorrectly signed X.509 certs

2016-07-17 Thread David Howells
From: Mat Martineau 

Arbitrary X.509 certificates without authority key identifiers (AKIs)
can be added to "trusted" keyrings, including IMA or EVM certs loaded
from the filesystem. Signature verification is currently bypassed for
certs without AKIs.

Trusted keys were recently refactored, and this bug is not present in
4.6.

restrict_link_by_signature should return -ENOKEY (no matching parent
certificate found) if the certificate being evaluated has no AKIs,
instead of bypassing signature checks and returning 0 (new certificate
accepted).

Reported-by: Petko Manolov 
Signed-off-by: Mat Martineau 
Signed-off-by: David Howells 
---

 crypto/asymmetric_keys/restrict.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/asymmetric_keys/restrict.c 
b/crypto/asymmetric_keys/restrict.c
index ac4bddf669de..19d1afb9890f 100644
--- a/crypto/asymmetric_keys/restrict.c
+++ b/crypto/asymmetric_keys/restrict.c
@@ -87,7 +87,7 @@ int restrict_link_by_signature(struct key *trust_keyring,
 
sig = payload->data[asym_auth];
if (!sig->auth_ids[0] && !sig->auth_ids[1])
-   return 0;
+   return -ENOKEY;
 
if (ca_keyid && !asymmetric_key_id_partial(sig->auth_ids[1], ca_keyid))
return -EPERM;
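
Review bot: The `!sig->auth_ids[0] && !sig->auth_ids[1]` branch now carries the whole security decision for certificates that have no AKI, but nothing in the code says so. A short comment above the check, stating that a certificate without authority key identifiers cannot be matched to a parent in trust_keyring and is therefore rejected, would keep a later cleanup from turning it back into `return 0`. It is also worth confirming that callers handle -ENOKEY from this path the same way as the "no matching parent certificate found" case named in the commit message, since the two are indistinguishable by return code.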

--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[PATCH 1/3] PKCS#7: Fix panic when referring to the empty AKID when DEBUG defined

2016-07-17 Thread David Howells
From: Lans Zhang 

This fix resolves the following kernel panic if an empty or missing
AuthorityKeyIdentifier is encountered and DEBUG is defined in
pkcs7_verify.c.

[  459.041989] PKEY: <==public_key_verify_signature() = 0
[  459.041993] PKCS7: Verified signature 1
[  459.041995] PKCS7: ==> pkcs7_verify_sig_chain()
[  459.041999] PKCS7: verify Sample DB Certificate for SCP: 01
[  459.042002] PKCS7: - issuer Sample KEK Certificate for SCP
[  459.042014] BUG: unable to handle kernel NULL pointer dereference at 
  (null)
[  459.042135] IP: [] pkcs7_verify+0x72c/0x7f0
[  459.042217] PGD 739e6067 PUD 77719067 PMD 0
[  459.042286] Oops:  [#1] PREEMPT SMP
[  459.042328] Modules linked in:
[  459.042368] CPU: 0 PID: 474 Comm: kexec Not tainted 
4.7.0-rc7-WR8.0.0.0_standard+ #18
[  459.042462] Hardware name: To be filled by O.E.M. To be filled by 
O.E.M./Aptio CRB, BIOS 5.6.5 10/09/2014
[  459.042586] task: 880073a5 ti: 8800738e8000 task.ti: 
8800738e8000
[  459.042675] RIP: 0010:[]  [] 
pkcs7_verify+0x72c/0x7f0
[  459.042784] RSP: 0018:8800738ebd58  EFLAGS: 00010246
[  459.042845] RAX:  RBX: 880076b7da80 RCX: 0006
[  459.042929] RDX: 0001 RSI: 81c85001 RDI: 81ca00a9
[  459.043014] RBP: 8800738ebd98 R08: 0400 R09: 8800788a304c
[  459.043098] R10:  R11: 60ca R12: 8800769a2bc0
[  459.043182] R13: 880077358300 R14:  R15: 8800769a2dc0
[  459.043268] FS:  7f24cc741700() GS:880074e0() 
knlGS:
[  459.043365] CS:  0010 DS:  ES:  CR0: 80050033
[  459.043431] CR2:  CR3: 73a36000 CR4: 001006f0
[  459.043514] Stack:
[  459.043530]   ffbf0020 31ff813e68b0 
0002
[  459.043644]  8800769a2bc0  007197b8 
0002
[  459.043756]  8800738ebdd8 81153fb1  

[  459.043869] Call Trace:
[  459.043898]  [] verify_pkcs7_signature+0x61/0x140
[  459.043974]  [] verify_pefile_signature+0x2cb/0x830
[  459.044052]  [] ? verify_pefile_signature+0x830/0x830
[  459.044134]  [] bzImage64_verify_sig+0x15/0x20
[  459.046332]  [] arch_kexec_kernel_verify_sig+0x29/0x40
[  459.048552]  [] SyS_kexec_file_load+0x1f4/0x6c0
[  459.050768]  [] ? __do_page_fault+0x1b6/0x550
[  459.052996]  [] entry_SYSCALL_64_fastpath+0x17/0x93
[  459.055242] Code: e8 0a d6 ff ff 85 c0 0f 88 7a fb ff ff 4d 39 fd 4d 89 7d 
08 74 45 4d 89 fd e9 14 fe ff ff 4d 8b 76 08 31 c0 48 c7 c7 a9 00 ca 81 <41> 0f 
b7 36 49 8d 56 02 e8 d0 91 d6 ff 4d 8b 3c 24 4d 85 ff 0f
[  459.060535] RIP  [] pkcs7_verify+0x72c/0x7f0
[  459.063040]  RSP 
[  459.065456] CR2: 
[  459.075998] ---[ end trace c15f0e897cda28dc ]---

Signed-off-by: Lans Zhang 
Signed-off-by: David Howells 
Cc: Dave Young 
Cc: Baoquan He 
Cc: Vivek Goyal 
cc: linux-crypto@vger.kernel.org
cc: ke...@lists.infradead.org
---

 crypto/asymmetric_keys/pkcs7_verify.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/asymmetric_keys/pkcs7_verify.c 
b/crypto/asymmetric_keys/pkcs7_verify.c
index 44b746e9df1b..2ffd69769466 100644
--- a/crypto/asymmetric_keys/pkcs7_verify.c
+++ b/crypto/asymmetric_keys/pkcs7_verify.c
@@ -227,7 +227,7 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message 
*pkcs7,
if (asymmetric_key_id_same(p->id, auth))
goto found_issuer_check_skid;
}
-   } else {
+   } else if (sig->auth_ids[1]) {
auth = sig->auth_ids[1];
pr_debug("- want %*phN\n", auth->len, auth->data);
for (p = pkcs7->certs; p; p = p->next) {
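
Review bot: With `} else if (sig->auth_ids[1]) {` there is now a third path, both auth_ids NULL, in which neither search loop runs and `auth` is never assigned from `sig->auth_ids[1]`. The hunk does not show what follows the if/else, so please confirm that this fall-through neither reads `auth` nor treats the chain as having found an issuer. A one-line comment on the new condition saying that the AKID may be absent would also explain why the guard exists, since the dereference it protects in the visible lines is the `pr_debug("- want %*phN\n", auth->len, auth->data)` call.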



[PATCH 2/3] pefile: Fix the failure of calculation for digest

2016-07-17 Thread David Howells
From: Lans Zhang 

Commit e68503bd68 forgot to set digest_len and thus causes the following
error reported by kexec when launching a crash kernel:

kexec_file_load failed: Bad message

Fixes: e68503bd68 (KEYS: Generalise system_verify_data() to provide access to 
internal content)
Signed-off-by: Lans Zhang 
Tested-by: Dave Young 
Signed-off-by: David Howells 
Cc: Baoquan He 
Cc: Vivek Goyal 
cc: ke...@lists.infradead.org
cc: linux-crypto@vger.kernel.org
---

 crypto/asymmetric_keys/mscode_parser.c |7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/crypto/asymmetric_keys/mscode_parser.c 
b/crypto/asymmetric_keys/mscode_parser.c
index 6a76d5c70ef6..9492e1c22d38 100644
--- a/crypto/asymmetric_keys/mscode_parser.c
+++ b/crypto/asymmetric_keys/mscode_parser.c
@@ -124,5 +124,10 @@ int mscode_note_digest(void *context, size_t hdrlen,
struct pefile_context *ctx = context;
 
ctx->digest = kmemdup(value, vlen, GFP_KERNEL);
-   return ctx->digest ? 0 : -ENOMEM;
+   if (!ctx->digest)
+   return -ENOMEM;
+
+   ctx->digest_len = vlen;
+
+   return 0;
 }
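
Review bot: `ctx->digest_len = vlen` records whatever length the parser hands in, and nothing in this hunk checks `vlen` against the size expected for the digest algorithm in use. If that comparison is not already made where digest_len is consumed, it would be worth adding; if it is, a comment here pointing to it would help. The same lines overwrite `ctx->digest` unconditionally, so it is also worth stating whether mscode_note_digest can be invoked more than once per context.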



[PATCH 0/3] KEYS: Miscellaneous fixes

2016-07-17 Thread David Howells

Hi James,

Here are three miscellaneous fixes:

 (1) Fix a panic in some debugging code in PKCS#7.  This can only happen by
 explicitly inserting a #define DEBUG into the code.

 (2) Fix the calculation of the digest length in the PE file parser.  This
 causes a failure where there should be a success.

 (3) Fix the case where an X.509 cert can be added as an asymmetric key to
 a trusted keyring with no trust restriction if no AKID is supplied.

Bugs (1) and (2) aren't particularly problematic, but (3) allows a security
check to be bypassed.  Bug (3) is added since the 4.6 kernel.

The patches can be found here also:


http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-fixes

at tag:

keys-fixes-20160718

David
---
Lans Zhang (2):
  PKCS#7: Fix panic when referring to the empty AKID when DEBUG defined
  pefile: Fix the failure of calculation for digest

Mat Martineau (1):
  KEYS: Fix for erroneous trust of incorrectly signed X.509 certs


 crypto/asymmetric_keys/mscode_parser.c |7 ++-
 crypto/asymmetric_keys/pkcs7_verify.c  |2 +-
 crypto/asymmetric_keys/restrict.c  |2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)



Re: [V2][PATCH 1/2] PKCS#7: Fix kernel panic when referring to the empty AuthorityKeyIdentifier

2016-07-17 Thread David Howells
Lans Zhang  wrote:

> Let me know if I need to add this comment to commit header.

I've done that.

David